Can't configure a simple IPSec (manual SA/SP)
VANHULLEBUS Yvan
vanhu at FreeBSD.org
Fri Oct 25 13:42:28 UTC 2013
On Fri, Oct 25, 2013 at 11:20:11AM +0200, Olivier Cochard-Labbé wrote:
> Hi all,
Hi.
> I'm trying to configure simple static IPSec SA/SP in tunnel mode on my
> FreeBSD 9.2-RELEASE (crypto + ipsec added to the kernel) but the IPSec
> configuration seems to be ignored.
>
> local private net (em0): 10.0.12.0/24
> local end-point IP (em1): 10.0.23.2
> remote private net: 10.0.45.0/24
> remote end-point IP: 10.0.34.4
>
> I'm configuring the static SA/SP entries like that:
>
> flush;
> spdflush;
> spdadd 10.0.12.0/24 10.0.45.0/24 any -P out ipsec
> esp/tunnel/10.0.23.2-10.0.34.4/require;
> spdadd 10.0.45.0/24 10.0.12.0/24 any -P in ipsec
> esp/tunnel/10.0.34.4-10.0.23.2/require;
> add 10.0.23.2 10.0.34.4 esp 0x1000 -E 3des-cbc "3des_compliant_password1";
> add 10.0.34.4 10.0.23.2 esp 0x1001 -E 3des-cbc "3des_compliant_password2";
>
> This configuration seems correctly applied:
[seems good]
> But when a machine in local_private_net tries to ping a
> remote_private_net, the traffic is not tunneled/encrypted:
>
> [root at R2]~# tcpdump -pni em1
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes
> 10:35:21.284571 IP 10.0.12.1 > 10.0.45.5: ICMP echo request, id 48913,
> seq 0, length 64
> 10:35:22.288836 IP 10.0.12.1 > 10.0.45.5: ICMP echo request, id 48913,
> seq 1, length 64
> 10:35:23.298386 IP 10.0.12.1 > 10.0.45.5: ICMP echo request, id 48913,
> seq 2, length 64
>
> I've tried to enable IPSEC_DEBUG on my kernel: I've got nothing in my log.
>
> How can I get a more verbose IPsec log for spotting my problem?
I'm not sure your problem is directly related to your IPsec
configuration: your packet may just not reach the IPsec stack for some
reason to be understood.
Do you use some bridging configuration? Do you have some kind of
filtering/NAT rules? Some complex routing tables?
Can you send the output (on your IPsec gate) of:
sysctl -a net.inet.ip.fastforwarding
Have also a look at the output of "netstat -s", and check all sections
related to IPsec (pfkey, ipsec, esp).
Yvan.
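The reasoning behind Yvan's reply is that the quoted setkey configuration is internally consistent (each policy's tunnel endpoints have a matching SA, the 3DES keys are the right size, and the ping's addresses fall inside the outbound selector), so the cleartext echo requests on em1 point at the packets never reaching the IPsec stack. The script below is an added example, not code from the mail or from FreeBSD: it parses the spdadd/add statements quoted above and performs exactly those consistency checks offline. The key-size table and the matching rules are assumptions written from setkey(8); the configuration text is the one from the thread.

```python
"""Offline sanity check of a setkey(8)-style manual IPsec configuration.

Added example: parses spdadd/add statements, checks that every tunnel policy
has a matching SA with a correctly sized key, and tests whether a given
packet matches a policy selector.  Not code from the thread or from FreeBSD.
"""
import ipaddress
from dataclasses import dataclass

# Constructed input: the setkey configuration quoted in the thread.
SETKEY_CONF = """
flush;
spdflush;
spdadd 10.0.12.0/24 10.0.45.0/24 any -P out ipsec
esp/tunnel/10.0.23.2-10.0.34.4/require;
spdadd 10.0.45.0/24 10.0.12.0/24 any -P in ipsec
esp/tunnel/10.0.34.4-10.0.23.2/require;
add 10.0.23.2 10.0.34.4 esp 0x1000 -E 3des-cbc "3des_compliant_password1";
add 10.0.34.4 10.0.23.2 esp 0x1001 -E 3des-cbc "3des_compliant_password2";
"""

# Assumption: key sizes in bytes that setkey -E accepts for these algorithms
# (from setkey(8)); 3des-cbc needs 192 bits = 24 bytes.
KEY_BYTES = {"3des-cbc": {24}, "rijndael-cbc": {16, 24, 32}, "aes-cbc": {16, 24, 32}}


@dataclass
class Policy:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    upper: str
    direction: str
    proto: str
    mode: str
    local: str
    remote: str
    level: str


@dataclass
class SA:
    src: str
    dst: str
    proto: str
    spi: int
    alg: str
    key_len: int  # bytes


def parse_conf(text):
    """Split on ';' so statements wrapped over several lines still parse."""
    policies, sas = [], []
    for stmt in text.split(";"):
        tok = stmt.split()
        if not tok:
            continue
        if tok[0] == "spdadd":
            # spdadd SRC DST UPPER -P DIR ipsec PROTO/MODE/LOCAL-REMOTE/LEVEL
            proto, mode, ends, level = tok[7].split("/")
            local, remote = ends.split("-") if mode == "tunnel" else (None, None)
            policies.append(Policy(ipaddress.ip_network(tok[1]), ipaddress.ip_network(tok[2]),
                                   tok[3], tok[5], proto, mode, local, remote, level))
        elif tok[0] == "add":
            # add SRC DST PROTO SPI -E ALG KEY
            key = tok[7]
            if key.startswith("0x"):
                key_len = (len(key) - 2) // 2      # hex key: two digits per byte
            else:
                key_len = len(key.strip('"'))      # quoted ASCII key: one byte per char
            sas.append(SA(tok[1], tok[2], tok[3], int(tok[4], 16), tok[6], key_len))
    return policies, sas


def check_config(policies, sas):
    """Return a list of inconsistencies between SPD and SAD (empty if none)."""
    problems = []
    for p in policies:
        if p.mode == "tunnel" and not any(
                s.src == p.local and s.dst == p.remote and s.proto == p.proto for s in sas):
            problems.append(f"no {p.proto} SA for {p.direction} policy tunnel {p.local}-{p.remote}")
    for s in sas:
        allowed = KEY_BYTES.get(s.alg)
        if allowed is not None and s.key_len not in allowed:
            problems.append(f"SA spi=0x{s.spi:x}: {s.alg} key is {s.key_len} bytes, need {sorted(allowed)}")
    return problems


def match_policy(policies, src_ip, dst_ip, direction):
    """First policy whose direction and address selectors cover the packet."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for p in policies:
        if p.direction == direction and src in p.src and dst in p.dst:
            return p
    return None


def diagnose(conf, src_ip, dst_ip, direction="out"):
    """Consistency report for one packet against the configuration."""
    policies, sas = parse_conf(conf)
    problems = check_config(policies, sas)
    policy = match_policy(policies, src_ip, dst_ip, direction)
    if policy is None:
        problems.append(f"no {direction} policy matches {src_ip} -> {dst_ip}")
    return {"policy": policy, "problems": problems}


if __name__ == "__main__":
    # The ping from the thread: 10.0.12.1 -> 10.0.45.5, leaving the gateway.
    report = diagnose(SETKEY_CONF, "10.0.12.1", "10.0.45.5")
    if report["problems"]:
        print("configuration problems:", *report["problems"], sep="\n  ")
    else:
        print("SPD/SAD consistent and packet matches the out policy;"
              " look at forwarding path, filtering/NAT and fastforwarding instead")
```

With the thread's configuration the report is empty, which is the point: the next place to look is the forwarding path (sysctl net.inet.ip.fastforwarding, filter/NAT rules, netstat -s counters), not the SPD. Shortening a key or deleting one of the add lines makes the script report the mismatch instead.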